LINK: https://www.thehindu.com/opinion/editorial/zero-stars-on-the-sanchar-saathi-app/article70349952.ece

Why in the News

A debate was recently sparked following directives from the Department of Telecommunications (DoT) aimed at curbing sophisticated cybercrimes, including a mandate for smartphone manufacturers to pre-install the Sanchar Saathi app on all new devices by March 2026, a measure which has been criticised as an overkill concerning privacy and state surveillance.

Background: The Challenge of Cybercrime

The government’s directives were initiated in response to the growing sophistication and urgency of cybercrimes, which exploit existing security gaps in the telecom ecosystem.

Security Vulnerabilities Exploited by Cybercriminals

• Instant Messaging Anonymity: Cybercriminals have exploited a security gap where user accounts on instant messaging apps remain functional even after the associated SIM card has been removed, allowing for anonymous, large-scale cross-border scams such as “digital arrests” and government impersonation fraud.
• Device Tracking Difficulty: The rampant use of spoofed or tampered International Mobile Equipment Identity (IMEI) numbers has made tracking perpetrators nearly impossible for law enforcement agencies.

Government’s Dual Directives (November 28 and December 1)

The DoT issued two directives seeking sharper tools to address these software and hardware vulnerabilities:

• Directive 1: SIM Binding (Security Patch)
  • Mandates “SIM binding,” ensuring that a user’s instant messaging account is disabled if the physical SIM is removed.
  • This measure is considered a security patch that could inconvenience WhatsApp/Internet messaging users.
• Directive 2: Sanchar Saathi App Pre-installation (Cure or Damage?)
  • Mandates that smartphone manufacturers must pre-install the Sanchar Saathi app to verify device authenticity in all new devices by March 2026.
  • This measure is cautioned against, being reminiscent of the saying that the road to hell is often paved with good intentions, as the solution could potentially be more damaging than the disease of counterfeit handsets and spoofed IMEI numbers.

Concerns: Privacy, Surveillance, and Legal Tests

The mandatory pre-installation of the Sanchar Saathi app has attracted severe scrutiny regarding its potential for misuse and its compliance with constitutional principles.

Potential for Misuse and Surveillance

• Higher Security Clearance: The directive explicitly instructs that the app must be “readily visible and accessible to the end users at the time of first use or device setup and that its functionalities are not disabled or restricted.”
  • This suggests the app will be given a higher security clearance within the phone’s operating system.
• Intrusive Access: The elevated clearance is feared to allow the app more intrusive access to features such as camera, phone, or SMS access.
• Risk of Surveillance: The potential for misuse of this app for state surveillance and its utilisation by a malicious entity after compromise to target millions of users is very present and clear.
• Precedent of Misuse: This fear is not considered empty, given the past reported use of Pegasus software to target the political opposition, journalists, and activists.
• Panopticon Functionality: Notwithstanding the clarification by Union Minister Jyotiraditya Scindia that users could delete the app, the directive’s text mandating that the app cannot be disabled suggests that it will function more as a Panopticon and less as a simple verification tool.

Constitutional And Legal Framework

K.S. Puttaswamy Judgment (2017): Right To Privacy Standards

Supreme Court of India’s landmark judgment in K.S. Puttaswamy case (2017) established constitutional framework for evaluating state intrusions into privacy rights of citizens.

Tests Established for State Intrusion into Privacy:

• Test of Legality: Any state intrusion into privacy must be authorized by valid law and must not be arbitrary or unauthorized executive action
• Test of Necessity: Intrusion must be demonstrated as necessary for achieving legitimate state aim and must not be merely convenient or desirable
• Test of Proportionality: Measures adopted must be proportionate to objective sought and must not exceed what is necessary to achieve legitimate purpose

Application Of Proportionality Standard To Sanchar Saathi Directive

Sanchar Saathi app mandate has been evaluated against proportionality standard established by Supreme Court, revealing failure to satisfy constitutional requirements.

Proportionality Analysis:

• Less Intrusive Alternatives Exist: Government already possesses less intrusive means to verify device genuineness without mandatory app installation
• Sanchar Saathi Web Portals: Already operational web-based verification systems enable device authenticity checking without app installation
• SMS-Based Checks: Existing SMS-based verification mechanisms provide device authentication without requiring intrusive app access
• USSD Codes: Universal Supplementary Service Data codes offer alternative verification method requiring no app installation or enhanced system access
• Failure of Proportionality Standard: By ignoring these less invasive alternatives, directive on Sanchar Saathi fails proportionality standard required by constitutional jurisprudence
• Constitutional Non-Compliance: Directive represents state intrusion exceeding what is necessary when effective less intrusive alternatives are available and operational

Industry Response And Compliance Concerns

Privacy-Conscious Manufacturer Refusal

Directive has encountered resistance from smartphone manufacturers prioritizing user privacy in their device design and operational philosophy.

Manufacturer Response:

• Apple has reportedly refused to comply with order mandating Sanchar Saathi app pre-installation.
• Refusal attributed to manufacturer’s privacy-conscious approach to device design and user data protection.
• Apple’s resistance characterized as unsurprising given company’s established reputation for prioritizing user privacy over governmental compliance demands.
• Manufacturer refusal creates implementation challenges for directive and raises questions regarding enforcement mechanisms.

Way Forward: Upholding Rule of Law and User Choice

For addressing cybersecurity threats effectively while respecting fundamental rights, government action must be re-evaluated to prioritise less invasive measures and adhere to constitutional mandates.

• The proportionality standard established by the Supreme Court must be rigorously upheld when drafting and implementing policies that impact the fundamental right to privacy.
• Less invasive, existing mechanisms like the Sanchar Saathi web portal, SMS, and USSD codes should be adequately promoted and leveraged for device genuineness checks.
• Clear, unambiguous assurance must be provided that the app’s access rights will be strictly limited to its stated purpose, mitigating the potential for state surveillance or misuse by malicious entities.
• User consent and choice should be paramount, ensuring citizens have the ability to refuse, control, or remove any app that functions outside their explicit consent, without compromising device functionality.

Conclusion

• The mandatory pre-installation of the Sanchar Saathi app exemplifies a critical tension between the State’s legitimate need to combat cybercrime and the citizen’s right to privacy.
• While the intent to curb threats like spoofed IMEI numbers and digital arrests is valid, the current solution, by potentially granting high-level access and ignoring less intrusive alternatives, is judged to be an overkill that fails the essential test of proportionality.
• Future cybersecurity initiatives must prioritise transparency, user control, and adherence to constitutional safeguards to prevent the cure from becoming potentially more damaging than the disease.

Right to Privacy vs. Cybersecurity

The rise of the Digital Economy and e-Governance in India has made both the protection of individual data rights and the security of digital infrastructure paramount. The Right to Privacy, affirmed as a Fundamental Right under Article 21 by the Supreme Court in the landmark K.S. Puttaswamy v. Union of India (2017) judgment, seeks to protect informational self-determination.

In parallel, Cybersecurity refers to the measures taken to protect systems, networks, and data from cyber threats, which is vital for National Security and Critical Information Infrastructure (CII). The relationship is symbiotic, yet often conflicting, forming a central dilemma in modern governance.

Conceptual Distinction

Feature	Right to Privacy (Data Privacy)	Cybersecurity (Data Security)
Core Principle	Right to be Let Alone and the right to control one’s personal data. It is a fundamental right.	Protection of digital assets (data, systems, networks) from unauthorized access, attacks, and damage.
Objective	Ethical and Legal Use of personal data. Ensures data is collected, processed, and shared lawfully, with consent, and for a legitimate purpose.	Confidentiality, Integrity, and Availability (CIA Triad) of data and systems against cyber threats.
Focus	The Data Principal (Individual): Their rights, consent, transparency, and control over their own data.	The Data (System): The mechanisms (tools, technology, processes) to keep the data safe.
Legal Basis in India	Article 21 of the Constitution (K.S. Puttaswamy v. UOI, 2017 Judgment). Facets protected under the Digital Personal Data Protection (DPDP) Act, 2023.	Information Technology (IT) Act, 2000 (especially Section 43A and 66). Policies like the National Cyber Security Strategy.
Failure Example	Privacy Failure: A company securely stores user data but sells it to a third party without informed consent (e.g., Cambridge Analytica scandal).	Cybersecurity Failure: A hacker breaches a company’s encrypted server and steals user data (e.g., a Ransomware attack).
Mantra	Data Protection by Design and Data Minimisation.	Zero Trust Architecture and Advanced Threat Detection.

Conflict/Tension in Policy & Implementation

Area of Conflict	Right to Privacy Perspective	Cybersecurity/National Security Perspective
Surveillance & Interception	Mass surveillance (e.g., government monitoring of digital communications) is a clear violation of privacy and fundamental rights. Requires judicial/legislative oversight.	Lawful interception and real-time monitoring of communications are essential to prevent terrorism, organised crime, and ensure national security. Needs access to encrypted data.
Data Retention	Data must be retained for the shortest necessary period (Data Minimisation). Extended retention increases the risk of a breach and privacy infringement.	Cybersecurity forensics and incident response require retention of logs, traffic data, and other records for extended periods to track and prosecute cybercriminals/state actors.
Data Localisation	Can be viewed as a threat if it leads to greater State surveillance within national borders without adequate legal safeguards.	Necessary for national security and law enforcement, ensuring data of critical importance is within the sovereign jurisdiction and accessible during a crisis or investigation.
Encryption	End-to-end encryption is paramount to safeguard informational privacy and freedom of expression (secure communication).	Encryption can be a “safe haven” for criminals and terrorists. Government advocates for a “backdoor” or “key escrow” for legitimate law enforcement access.
Transparency & Accountability	State actions must be transparent, necessary, and proportionate (Puttaswamy Test). Individuals must have the right to know what data is being collected.	Public disclosure of surveillance capabilities or cybersecurity vulnerabilities can be a threat to national security by alerting adversaries.

Way Forward: Balancing and Synergy

Strategy	Description	How it Achieves Balance
Proportionality and Necessity	Any state intrusion on privacy must pass the triple test (Puttaswamy Judgment): Legality, Legitimate State Aim, and Proportionality.	Ensures security measures (like surveillance) are the least intrusive necessary to achieve a legitimate public or national security goal.
Privacy by Design (PbD)	Incorporating privacy and data protection into the design and architecture of IT systems, networks, and business practices from the outset, not as an afterthought.	Ensures that robust cybersecurity (the ‘security’) is built in a way that respects the individual’s right to control their data (the ‘privacy’).
Pseudonymisation	Techniques to strip data of direct identifiers or replace them with a pseudonym, making it difficult to link data to an individual without a key.	Allows security analysis (e.g., threat detection, anomaly monitoring) on a large dataset without compromising the individual’s identity/privacy.
Clear, Specific Legal Frameworks	Implementing a robust Data Protection Law (like DPDP Act) and simultaneously reviewing and updating archaic laws (e.g., Indian Telegraph Act) with clear surveillance guidelines.	Provides a definitive legal basis for both privacy rights and legitimate state access, reducing ambiguity and preventing arbitrary action.

Conclusion

• The debate between the Right to Privacy and Cybersecurity is not one of elimination but of harmonisation. In a democratic framework like India’s, the approach must be to build a human-centric digital ecosystem where robust security serves as the technical foundation for the fundamental right to privacy.
• The successful implementation of the Digital Personal Data Protection Act, 2023, with its focus on accountability and consent while providing legitimate exceptions for state security, will be the key to achieving this necessary constitutional balance in the age of digital transformation.

UPSC MAINS PYQs

1. Examine the scope of Fundamental Rights in the light of the latest judgement of the Supreme Court on Right to Privacy. (2017)